The personal information you give to businesses may not be as secure as you hope, according to a new survey.
Around 55 percent of all businesses acknowledge that they secure credit card information but not Social Security numbers, bank account details, and other personal data, according to a survey of more than 500 companies released Wednesday by Imperva and Ponemon Institute.
The survey was conducted to determine how many companies are complying with PCI DSS, the Payment Card Industry's Data Security Standard. PCI DSS tries to ensure that businesses take specific measures to secure their Web sites, databases, and other systems that process and store credit card information.
Of the companies surveyed, 71 percent acknowledged not making data security a top initiative, despite the fact that 79 percent of them said they've been hit by one or more data breaches. In fact, Ponemon and Imperva noted that since the PCI DSS standard was enacted in 2005, the number of breaches and cases of credit card fraud has actually risen.
(Credit:
Imperva)
Cost and lack of resources were the biggest factors cited for not focusing on PCI DSS compliance. For those reasons, larger firms fared better than smaller ones. Only 28 percent of businesses with 501 to 1,000 employees were compliant as opposed to 70 percent of companies with 75,000 or more employees.
"Companies devote 35 percent of their IT security budgets to PCI compliance on average, making cost a significant obstacle, especially for smaller companies," Amichai Shulman, Imperva's chief technology officer, said in a statement. "This is why Imperva is recommending that the PCI DSS Council modify the requirements for larger and smaller companies to take into account different environments and security needs."
Another problem stems from the priorities of the organization itself. Of those questioned, 55 percent didn't feel their CEO strongly supports PCI DSS compliance, while 52 percent said their company is not proactive in managing privacy or security risks.
On the positive side, PCI DSS compliance has found a certain measure of success. Around 75 percent of those surveyed said their company has achieved some level of compliance, with 28 percent compliant for most of their applications and databases and 25 percent compliant for some apps and databases. Only 22 percent reported being fully compliant.
(Credit:
Imperva)
Conducted by Ponemon and sponsored by Imperva, the survey questioned 517 U.S. and multinational IT security professionals who work on PCI compliance efforts for their companies.
Over the past few years, data breaches at large organizations such as T.J. Maxx and Marshalls parent company TJX and Maine-based Hannaford Supermarkets have highlighted the need for better security for credit card and customer records.
More records were breached in 2008 than in the previous four years combined as a result of a few large breaches involving payment cards, according to a report released on Wednesday.
Last year, 295 million records were compromised and there were 90 confirmed breaches, the Verizon Business 2009 Data Breach Investigations Report (PDF) found.
The top five breaches accounted for 93 percent of total records compromised and as a percentage of caseload, 80 percent were payment card breaches while payment card data represented 98 percent of all records compromised last year.
PIN data was increasingly targeted in 2008 in attacks in which magnetic-stripe data and PIN data was used for identity fraud. For example, criminals used the data to make ATM withdrawals from victim's accounts.
PIN data stolen in a breach at payment processor RBS WorldPay was used to clone cards and withdraw millions of dollars from victim bank accounts last year. Meanwhile, payment processor Heartland had a huge data breach of its own last year that it reported in January and there have been reports of another breach at an unidentified institution.
More than three-fourths of organizations suffering payment card breaches were found to be not compliant with PCI data security standards or had never been audited. The typical organization had met less than a third of the requirements in the standards, the report found.
This chart shows threat categories by percent of breaches (black) and records (red).
(Credit: Verizon)Of the total breaches, 75 percent came from external sources, 39 percent involved multiple parties, 32 percent involved business partners and in 20 percent of the cases insiders were implicated. Three-fourths of the breaches were undiscovered and uncontained for weeks or months.
As far as types of breaches, 64 percent resulted from malicious hacking, 38 percent used malware, 22 percent involved privileged misuse, and 9 percent used physical attacks such as equipment theft or tampering.
In about four of 10 hacking-related breaches, an attacker gained unauthorized access to the victim via one of the many types of remote access and management software, typically provisioned to third-parties for remote administration.
During 2008, malware was involved in more than one-third of the cases investigated and contributed to nine out of 10 of all records breached.
"Malware is now an essential component to nearly all large-scale data breach scenarios," the report said. "Hacking gets the criminal in the door, but malware gets him the data."
- prev
- 1
- next
